Play interactive tour

Edit tour

Analysis Report Evolution des moyens de trasport.exe

Overview

General Information

Sample Name:	Evolution des moyens de trasport.exe
Analysis ID:	385484
MD5:	e31302978d2b065f030279b481e32344
SHA1:	2677beebffc4358d31e7eecdafa29f9ca0fffbd9
SHA256:	f238e71f708ab19db8bea0e3b69bdaa13d5b74ff6e658c00cec97ec212f22c58
Infos:
Most interesting Screenshot:

Detection

Score:	4
Range:	0 - 100
Whitelisted:	false
Confidence:	80%

Signatures

Antivirus or Machine Learning detection for unpacked file

PE file contains an invalid checksum

PE file contains strange resources

Program does not show much activity (idle)

Sample file is different than original file name gathered from version info

Tries to load missing DLLs

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Classification

Startup

System is w10x64

Evolution des moyens de trasport.exe (PID: 1256 cmdline: 'C:\Users\user\Desktop\Evolution des moyens de trasport.exe' MD5: E31302978D2B065F030279B481E32344)

cleanup

Malware Configuration

No configs have been found

Yara Overview

No yara matches

Sigma Overview

No Sigma rule has matched

Signature Overview

Click to jump to signature section

Show All Signature Results

There are no malicious signatures, click here to show all signatures.

Source: 0.0.Evolution des moyens de trasport.exe.400000.0.unpack	Avira: Label: TR/Dropper.VB.Gen
Source: 0.2.Evolution des moyens de trasport.exe.400000.0.unpack	Avira: Label: TR/Dropper.VB.Gen

Source: Evolution des moyens de trasport.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Source: Evolution des moyens de trasport.exe

String found in binary or memory: http://127.0.0.1:

Source: Evolution des moyens de trasport.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: Evolution des moyens de trasport.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: Evolution des moyens de trasport.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Source: Evolution des moyens de trasport.exe	Binary or memory string: OriginalFileName vs Evolution des moyens de trasport.exe
Source: Evolution des moyens de trasport.exe	Binary or memory string: OriginalFilename vs Evolution des moyens de trasport.exe
Source: Evolution des moyens de trasport.exe, 00000000.00000002.329695649.0000000000401000.00000020.00020000.sdmp	Binary or memory string: interval0\VarFileInfo\Translation \StringFileInfo\ OriginalFileName watch list kill white list kill f vs Evolution des moyens de trasport.exe
Source: Evolution des moyens de trasport.exe, 00000000.00000002.329695649.0000000000401000.00000020.00020000.sdmp	Binary or memory string: OriginalFilename%q vs Evolution des moyens de trasport.exe
Source: Evolution des moyens de trasport.exe	Binary or memory string: interval0\VarFileInfo\Translation \StringFileInfo\ OriginalFileName watch list kill white list kill f vs Evolution des moyens de trasport.exe
Source: Evolution des moyens de trasport.exe	Binary or memory string: OriginalFilename%q vs Evolution des moyens de trasport.exe

Source: C:\Users\user\Desktop\Evolution des moyens de trasport.exe

Section loaded: utility.dll

Jump to behavior

Source: Evolution des moyens de trasport.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Source: classification engine

Classification label: clean4.winEXE@1/0@0/0

Source: Evolution des moyens de trasport.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\Evolution des moyens de trasport.exe

Section loaded: C:\Windows\SysWOW64\msvbvm60.dll

Jump to behavior

Source: C:\Users\user\Desktop\Evolution des moyens de trasport.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: Evolution des moyens de trasport.exe

Static PE information: Virtual size of .text is bigger than: 0x100000

Source: Evolution des moyens de trasport.exe

Static file information: File size 4903529 > 1048576

Source: Evolution des moyens de trasport.exe

Static PE information: Raw size of .text is bigger than: 0x100000 < 0x1b4000

Source: Evolution des moyens de trasport.exe

Static PE information: real checksum: 0x2219e3 should be: 0x4b9400

Source: C:\Users\user\Desktop\Evolution des moyens de trasport.exe	Code function: 0_2_00409010 push B0005252h; iretd	0_2_00409015
Source: C:\Users\user\Desktop\Evolution des moyens de trasport.exe	Code function: 0_2_00403013 push 0040139Eh; ret	0_2_004030B7
Source: C:\Users\user\Desktop\Evolution des moyens de trasport.exe	Code function: 0_2_0040C148 push ebx; retn 0040h	0_2_0040C149
Source: C:\Users\user\Desktop\Evolution des moyens de trasport.exe	Code function: 0_2_00408172 push 0FC02F3Bh; ret	0_2_004082A3
Source: C:\Users\user\Desktop\Evolution des moyens de trasport.exe	Code function: 0_2_0040C1C0 push 0040139Eh; ret	0_2_0040C1D3
Source: C:\Users\user\Desktop\Evolution des moyens de trasport.exe	Code function: 0_2_0040C1D4 push 0040139Eh; ret	0_2_0040C1E7
Source: C:\Users\user\Desktop\Evolution des moyens de trasport.exe	Code function: 0_2_0040C1E8 push 0040139Eh; ret	0_2_0040C1FB
Source: C:\Users\user\Desktop\Evolution des moyens de trasport.exe	Code function: 0_2_0040C1FC push 0040139Eh; ret	0_2_0040C20F
Source: C:\Users\user\Desktop\Evolution des moyens de trasport.exe	Code function: 0_2_0040C182 push 0040139Eh; ret	0_2_0040C1BF
Source: C:\Users\user\Desktop\Evolution des moyens de trasport.exe	Code function: 0_2_0040C24C push 0040139Eh; ret	0_2_0040C25F
Source: C:\Users\user\Desktop\Evolution des moyens de trasport.exe	Code function: 0_2_0040C260 push 0040139Eh; ret	0_2_0040C273
Source: C:\Users\user\Desktop\Evolution des moyens de trasport.exe	Code function: 0_2_0040626C push 0040139Eh; ret	0_2_0040627F
Source: C:\Users\user\Desktop\Evolution des moyens de trasport.exe	Code function: 0_2_0040C274 push 0040139Eh; ret	0_2_0040C287
Source: C:\Users\user\Desktop\Evolution des moyens de trasport.exe	Code function: 0_2_0040C210 push 0040139Eh; ret	0_2_0040C223
Source: C:\Users\user\Desktop\Evolution des moyens de trasport.exe	Code function: 0_2_00406215 push 0040139Eh; ret	0_2_00406293
Source: C:\Users\user\Desktop\Evolution des moyens de trasport.exe	Code function: 0_2_0040621E push 0040139Eh; ret	0_2_0040626B
Source: C:\Users\user\Desktop\Evolution des moyens de trasport.exe	Code function: 0_2_0040C224 push 0040139Eh; ret	0_2_0040C237
Source: C:\Users\user\Desktop\Evolution des moyens de trasport.exe	Code function: 0_2_0040C238 push 0040139Eh; ret	0_2_0040C24B
Source: C:\Users\user\Desktop\Evolution des moyens de trasport.exe	Code function: 0_2_0040C2C4 push 0040139Eh; ret	0_2_0040C2D7
Source: C:\Users\user\Desktop\Evolution des moyens de trasport.exe	Code function: 0_2_004062D0 push 0040139Eh; ret	0_2_004062E3
Source: C:\Users\user\Desktop\Evolution des moyens de trasport.exe	Code function: 0_2_0040C2D8 push 0040139Eh; ret	0_2_0040C2EB
Source: C:\Users\user\Desktop\Evolution des moyens de trasport.exe	Code function: 0_2_004062E4 push 0040139Eh; ret	0_2_004062F7
Source: C:\Users\user\Desktop\Evolution des moyens de trasport.exe	Code function: 0_2_0040C2EC push 0040139Eh; ret	0_2_0040C2FF
Source: C:\Users\user\Desktop\Evolution des moyens de trasport.exe	Code function: 0_2_004062F8 push 0040139Eh; ret	0_2_0040630B
Source: C:\Users\user\Desktop\Evolution des moyens de trasport.exe	Code function: 0_2_0040B286 push 0040139Eh; ret	0_2_0040B299
Source: C:\Users\user\Desktop\Evolution des moyens de trasport.exe	Code function: 0_2_0040C288 push 0040139Eh; ret	0_2_0040C29B
Source: C:\Users\user\Desktop\Evolution des moyens de trasport.exe	Code function: 0_2_00406294 push 0040139Eh; ret	0_2_004062A7
Source: C:\Users\user\Desktop\Evolution des moyens de trasport.exe	Code function: 0_2_0040B29A push 0040139Eh; ret	0_2_0040B2AD
Source: C:\Users\user\Desktop\Evolution des moyens de trasport.exe	Code function: 0_2_0040C29C push 0040139Eh; ret	0_2_0040C2AF
Source: C:\Users\user\Desktop\Evolution des moyens de trasport.exe	Code function: 0_2_004062A8 push 0040139Eh; ret	0_2_004062BB
Source: C:\Users\user\Desktop\Evolution des moyens de trasport.exe	Code function: 0_2_0040B2AE push 0040139Eh; ret	0_2_0040B2C1

Source: C:\Users\user\Desktop\Evolution des moyens de trasport.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Evolution des moyens de trasport.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Evolution des moyens de trasport.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Evolution des moyens de trasport.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Evolution des moyens de trasport.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Evolution des moyens de trasport.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: Evolution des moyens de trasport.exe, 00000000.00000002.330189742.0000000000953000.00000004.00000001.sdmp	Binary or memory string: Progman UIq
Source: Evolution des moyens de trasport.exe	Binary or memory string: Shell_TrayWnd
Source: Evolution des moyens de trasport.exe	Binary or memory string: Progman
Source: Evolution des moyens de trasport.exe, 00000000.00000002.330198231.000000000095E000.00000004.00000001.sdmp	Binary or memory string: Program Manager CC
Source: Evolution des moyens de trasport.exe, 00000000.00000002.330198231.000000000095E000.00000004.00000001.sdmp	Binary or memory string: Program Manager
Source: Evolution des moyens de trasport.exe, 00000000.00000002.330189742.0000000000953000.00000004.00000001.sdmp	Binary or memory string: Progmantd
Source: Evolution des moyens de trasport.exe	Binary or memory string: shell_traywnd

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation	DLL Side-Loading1	Process Injection1	Software Packing1	OS Credential Dumping	Process Discovery1	Remote Services	Data from Local System	Exfiltration Over Other Network Medium	Data Obfuscation	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	DLL Side-Loading1	Process Injection1	LSASS Memory	System Information Discovery1	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	Junk Data	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	DLL Side-Loading1	Security Account Manager	Query Registry	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Steganography	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Obfuscated Files or Information1	NTDS	System Network Configuration Discovery	Distributed Component Object Model	Input Capture	Scheduled Transfer	Protocol Impersonation	SIM Card Swap		Carrier Billing Fraud

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
Evolution des moyens de trasport.exe	6%	ReversingLabs

Dropped Files

No Antivirus matches

Unpacked PE Files

Source	Detection	Scanner	Label	Link	Download
0.0.Evolution des moyens de trasport.exe.400000.0.unpack	100%	Avira	TR/Dropper.VB.Gen		Download File
0.2.Evolution des moyens de trasport.exe.400000.0.unpack	100%	Avira	TR/Dropper.VB.Gen		Download File

Domains

No Antivirus matches

URLs

Source	Detection	Scanner	Label	Link
http://127.0.0.1:	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

No contacted domains info

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://127.0.0.1:	Evolution des moyens de trasport.exe	false	Avira URL Cloud: safe	unknown

Contacted IPs

No contacted IP infos

General Information

Joe Sandbox Version:	31.0.0 Emerald
Analysis ID:	385484
Start date:	12.04.2021
Start time:	15:25:46
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 2m 57s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	Evolution des moyens de trasport.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	1
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	CLEAN
Classification:	clean4.winEXE@1/0@0/0
EGA Information:	Successful, ratio: 100%
HDC Information:	Successful, ratio: 99.9% (good quality ratio 97.9%) Quality average: 83.4% Quality standard deviation: 28.6%
HCA Information:	Failed
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .exe Stop behavior analysis, all processes terminated
Warnings:	Show All VT rate limit hit for: /opt/package/joesandbox/database/analysis/385484/sample/Evolution des moyens de trasport.exe

Simulations

Behavior and APIs

No simulations

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

No created / dropped files found

Static File Info

General
File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.736162650882512
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	Evolution des moyens de trasport.exe
File size:	4903529
MD5:	e31302978d2b065f030279b481e32344
SHA1:	2677beebffc4358d31e7eecdafa29f9ca0fffbd9
SHA256:	f238e71f708ab19db8bea0e3b69bdaa13d5b74ff6e658c00cec97ec212f22c58
SHA512:	974c009edc9526444d790432120374a934588aad2e6ad6190211051ff88fb75398c3a8e6613d70b57722ae124edf4d6f324ace1e2657014caa2081e5fb16ab04
SSDEEP:	98304:mcc0ccccoccccQccccfcccccvl/bPd4WH9LBZMTJSE7RjPrxjSfc9Jo3hr7Ohr7W:MdFNB/E7R7rxOfc9JK+ctj
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode...$....i.J.m...)zi.)zi.)zi.-Yd.(zi.Rich)zi.................PE..L....~.U.................@...@...............P....@.............W..........

File Icon


Icon Hash:	c5ddccf8fcb2f870

Static PE Info

General
Entrypoint:	0x401404
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
DLL Characteristics:
Time Stamp:	0x55C07EA6 [Tue Aug 4 08:58:14 2015 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	0207dabeb8fc11ba1c54f26ac6d0c8df

Entrypoint Preview

Instruction
push 0040237Ch
call 00007F4F909B5C65h
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
xor byte ptr [eax], al
add byte ptr [eax], al
cmp byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
hlt
inc ebx
adc dword ptr [edi-57B857FFh], edx
popfd
mov byte ptr [9B0A62F6h], al
bound eax, dword ptr [eax]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [ecx], al
add byte ptr [eax], al
add byte ptr [edx], cl
dec ebp
outsd
jne 00007F4F909B5CDFh
push eax
dec esp
inc ecx
pop ecx
inc ebp
push edx
add byte ptr [ecx+00h], ch
add byte ptr [eax], al
add byte ptr [ecx], al
add byte ptr [ecx], dh
add byte ptr [ebx+edi*4+41h], bl
add byte ptr [eax], al
add byte ptr [eax], al
add bh, bh

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x1b4b24	0x28	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x1c1000	0x67508	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x220	0x20
IMAGE_DIRECTORY_ENTRY_IAT	0x1000	0x19c	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x1b3e14	0x1b4000	False	0.185924285049	data	3.89114007151	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.data	0x1b5000	0xb2d4	0x0	False	0	empty	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rsrc	0x1c1000	0x67508	0x68000	False	0.160163292518	data	4.48340916271	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_ICON	0x21c3c0	0xa068	data
RT_ICON	0x21bd58	0x668	dBase IV DBT of `.DBF, block length 1536, next free block index 40, next free block 33023, next used block 32512
RT_ICON	0x21ba70	0x2e8	data
RT_ICON	0x21b948	0x128	GLS_BINARY_LSB_FIRST
RT_ICON	0x209520	0x12428	dBase IV DBT, blocks size 0, block length 8192, next free block index 40, next free block 0, next used block 0
RT_ICON	0x208678	0xea8	data
RT_ICON	0x207dd0	0x8a8	data
RT_ICON	0x207868	0x568	GLS_BINARY_LSB_FIRST
RT_ICON	0x1c5840	0x42028	dBase IV DBT, blocks size 0, block length 8192, next free block index 40, next free block 0, next used block 0
RT_ICON	0x1c3298	0x25a8	data
RT_ICON	0x1c21f0	0x10a8	data
RT_ICON	0x1c1d88	0x468	GLS_BINARY_LSB_FIRST
RT_STRING	0x226428	0xe0	data	English	United States
RT_GROUP_ICON	0x1c1cd8	0xb0	data
RT_VERSION	0x1c1390	0x948	data	English	United States
RT_MANIFEST	0x226508	0x2000	XML 1.0 document, ASCII text, with CRLF, CR line terminators	English	United States

Imports

DLL	Import
MSVBVM60.DLL	EVENT_SINK_GetIDsOfNames, MethCallEngine, EVENT_SINK_Invoke, Zombie_GetTypeInfo, EVENT_SINK2_Release, EVENT_SINK_AddRef, DllFunctionCall, Zombie_GetTypeInfoCount, EVENT_SINK_Release, EVENT_SINK_QueryInterface, __vbaExceptHandler, ProcCallEngine, EVENT_SINK2_AddRef

Version Infos

Description	Data
Translation	0x0409 0x04b0
LegalCopyright	2020
InternalName	Evolution des moyens de trasport
FileVersion	0.0.0.0
CompanyName	techno-flash.com
LegalTrademarks
Comments
ProductName	Associer des produits un besoin
ProductVersion	0.0.0.0
FileDescription
OriginalFilename	Evolution des moyens de trasport.exe

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

No network behavior found

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

System Behavior

Analysis Process: Evolution des moyens de trasport.exe PID: 1256 Parent PID: 5804

General

Start time:	15:26:36
Start date:	12/04/2021
Path:	C:\Users\user\Desktop\Evolution des moyens de trasport.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Desktop\Evolution des moyens de trasport.exe'
Imagebase:	0x400000
File size:	4903529 bytes
MD5 hash:	E31302978D2B065F030279B481E32344
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Visual Basic
Reputation:	low

Chronological Activities

Disassembly

Code Analysis

Reset < >

Analysis Process: Evolution des moyens de trasport.exe PID: 1256 Parent PID: 5804 Evolution des moyens de trasport.exeCOMMON

Execution Graph

Execution Coverage:	0.3%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	2
Total number of Limit Nodes:	0

Executed Functions

Function 00401404, Relevance: 1.6, APIs: 1, Instructions: 51
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 67%

			_entry_() {
				signed char _t54;
				intOrPtr* _t55;
				intOrPtr* _t57;
				intOrPtr* _t58;
				intOrPtr* _t59;
				intOrPtr* _t60;
				signed char _t61;
				void* _t62;
				intOrPtr* _t65;
				void* _t66;
				void* _t67;
				void* _t71;
				void* _t73;
				void* _t75;
				void* _t78;
				intOrPtr* _t80;
				intOrPtr* _t81;
				signed int _t85;
				signed int _t87;
				intOrPtr* _t88;
				void* _t89;
				void* _t94;
				void* _t98;

				_push(0x40237c); // executed
				L004013FE(); // executed
				 *_t54 =  *_t54 + _t54;
				 *_t54 =  *_t54 + _t54;
				 *_t54 =  *_t54 + _t54;
				 *_t54 =  *_t54 ^ _t54;
				 *_t54 =  *_t54 + _t54;
				 *_t54 =  *_t54 + _t54;
				 *_t54 =  *_t54 + _t54;
				 *_t54 =  *_t54 + _t54;
				asm("hlt");
				_t67 = _t66 + 1;
				asm("adc [edi-0x57b857ff], edx");
				asm("popfd");
				 *0x9b0a62f6 = _t54;
				asm("bound eax, [eax]");
				 *_t54 =  *_t54 + _t54;
				 *_t54 =  *_t54 + _t54;
				 *_t80 =  *_t80 + _t54;
				 *_t54 =  *_t54 + _t54;
				 *_t85 =  *_t85 + _t80;
				asm("outsd");
				if(_t89 == 1) {
					_t80 = _t54;
					 *_t80 =  *_t80 + _t80;
					 *_t54 =  *_t54 + _t54;
					 *_t80 =  *_t80 + _t54;
					 *_t80 =  *_t80 + _t85;
					 *((intOrPtr*)(_t67 + 0x41 + _t87 * 4)) =  *((intOrPtr*)(_t67 + 0x41 + _t87 * 4)) + _t67;
					 *_t54 =  *_t54 + _t54;
					 *_t54 =  *_t54 + _t54;
					asm("invalid");
					asm("invalid");
					asm("invalid");
					 *_t54 =  *_t54 + 1;
					 *_t54 =  *_t54 + _t54;
					_t65 = _t54 + _t54;
					asm("les eax, [ecx]");
					_t78 = _t85;
					 *_t65 =  *_t65 + _t65;
					 *_t65 =  *_t65 + _t65;
					 *((intOrPtr*)(_t65 + 0x7e)) =  *((intOrPtr*)(_t65 + 0x7e)) + _t78;
					asm("sbb eax, 0x0");
					 *_t65 =  *_t65 + _t65;
					 *_t65 =  *_t65 + _t65;
					 *_t65 =  *_t65 + _t65;
					 *_t65 =  *_t65 + _t65;
					 *((intOrPtr*)(_t94 - 1 + _t85 + 0x10040)) =  *((intOrPtr*)(_t94 - 1 + _t85 + 0x10040)) + _t65;
					 *((intOrPtr*)(_t78 + 0x41 + _t87 * 4)) =  *((intOrPtr*)(_t78 + 0x41 + _t87 * 4)) + _t78;
					 *_t65 =  *_t65 + _t65;
					 *_t65 =  *_t65 + _t65;
					asm("invalid");
					asm("invalid");
					asm("invalid");
					 *_t65 =  *_t65 + 1;
					 *_t65 =  *_t65 + _t65;
					 *((intOrPtr*)(_t65 - 0x73ffbe38)) =  *((intOrPtr*)(_t65 - 0x73ffbe38)) + _t65;
					_pop(_t87);
					_pop(_t67);
					 *_t65 =  *_t65 + _t65;
					 *_t65 =  *_t65 + _t65;
					 *_t65 =  *_t65 + _t85;
					_push(_t85);
					_t54 =  *_t80;
					 *_t80 = _t65;
				}
				 *_t54 =  *_t54 + _t54;
				 *_t54 =  *_t54 + _t54;
				 *_t54 =  *_t54 + _t54;
				 *_t54 =  *_t54 + _t54;
				 *_t54 =  *_t54 + _t54;
				 *_t54 =  *_t54 + _t54;
				 *_t85 =  *_t85 + _t67;
				 *((intOrPtr*)(_t67 + 0x41 + _t87 * 4)) =  *((intOrPtr*)(_t67 + 0x41 + _t87 * 4)) + _t67;
				 *_t54 =  *_t54 + _t54;
				 *_t54 =  *_t54 + _t54;
				asm("invalid");
				do {
					asm("invalid");
					asm("invalid");
					asm("invalid");
					 *_t54 =  *_t54 + _t54;
					 *_t54 =  *_t54 + _t54;
					 *_t80 = 0x4c;
					_pop(_t88);
					 *_t54 =  *_t54 + _t54;
					 *_t54 =  *_t54 + _t54;
					 *_t54 =  *_t54 + _t85;
					_t85 = _t85 |  *(_t87 + 1);
					 *_t54 =  *_t54 + _t54;
					 *_t54 =  *_t54 + _t54;
					 *_t54 =  *_t54 + _t54;
					 *_t54 =  *_t54 + _t54;
					_t54 = _t54 + _t85;
					asm("adc al, 0x40");
					 *_t80 =  *_t80 + _t54;
					 *((intOrPtr*)(_t54 + _t54)) =  *((intOrPtr*)(_t54 + _t54)) + _t54;
					 *_t54 =  *_t54 + _t54;
					asm("invalid");
					asm("invalid");
					asm("invalid");
					asm("invalid");
					 *_t54 =  *_t54 + _t54;
					 *_t54 =  *_t54 + _t54;
				} while ( *_t54 < 0);
				_t81 = _t80 + 1;
				_t55 = _t54 + _t85;
				_t71 = _t55;
				 *_t55 =  *_t55 + _t55;
				 *_t55 =  *_t55 + _t55;
				_t57 = _t55 + _t71 - 0xdb;
				 *_t57 =  *_t57 + _t57;
				 *_t57 =  *_t57 + _t57;
				 *_t57 =  *_t57 + _t57;
				 *_t57 =  *_t57 + _t57;
				 *_t57 =  *_t57 + _t57;
				 *_t57 =  *_t57 + _t57;
				 *((intOrPtr*)(_t85 + 0x10040)) =  *((intOrPtr*)(_t85 + 0x10040)) + _t81;
				_pop(es);
				 *((intOrPtr*)(0x41 + 0x41 + _t87 * 4)) =  *((intOrPtr*)(_t71 + 0x41 + _t87 * 4)) + _t71;
				 *_t57 =  *_t57 + _t57;
				 *_t57 =  *_t57 + _t57;
				asm("invalid");
				asm("invalid");
				asm("invalid");
				 *_t57 =  *_t57 + 1;
				 *_t57 =  *_t57 + _t57;
				 *_t57 =  *_t57 + _t57;
				_pop(_t73);
				 *_t57 =  *_t57 + _t57;
				 *_t57 =  *_t57 + _t57;
				 *((intOrPtr*)(_t57 + 0x7f)) =  *((intOrPtr*)(_t57 + 0x7f)) + _t85;
				_t58 = _t81;
				 *_t58 =  *_t58 + _t58;
				 *_t58 =  *_t58 + _t58;
				 *_t58 =  *_t58 + _t58;
				 *_t58 =  *_t58 + _t58;
				 *_t58 =  *_t58 + _t58;
				 *_t58 =  *_t58 + _t58;
				asm("adc eax, 0x10040");
				_pop(ss);
				 *((intOrPtr*)(0x41 + 0x41 + _t87 * 4)) =  *((intOrPtr*)(_t73 + 0x41 + _t87 * 4)) + _t73;
				 *_t58 =  *_t58 + _t58;
				 *_t58 =  *_t58 + _t58;
				asm("invalid");
				asm("invalid");
				asm("invalid");
				 *_t58 =  *_t58 + 1;
				 *_t58 =  *_t58 + _t58;
				 *_t58 =  *_t58 + _t58;
				asm("rol byte [ecx], 0x6c");
				_t75 = _t58;
				 *_t58 =  *_t58 + _t58;
				 *_t58 =  *_t58 + _t58;
				_t59 = _t58 + _t58;
				 *_t59 =  *_t59 + _t59;
				 *_t59 =  *_t59 + _t59;
				 *_t59 =  *_t59 + _t59;
				 *_t59 =  *_t59 + _t59;
				 *((intOrPtr*)(0x51300041 + _t85 + 0x10040)) =  *((intOrPtr*)(0x51300041 + _t85 + 0x10040)) + _t75;
				_t60 = _t59 +  *_t59;
				 *_t60 =  *_t60 + _t60;
				asm("invalid");
				asm("invalid");
				asm("invalid");
				asm("invalid");
				 *_t60 =  *_t60 + _t60;
				 *_t60 =  *_t60 + _t60;
				asm("adc [ecx+eax*2+0x5b50d400], bh");
				 *_t85 =  *_t85 + _t60;
				 *_t60 =  *_t60 + _t60;
				_t61 = _t60 + 0x41;
				asm("adc eax, 0x20040");
				 *_t61 =  *_t61 & _t61;
				 *_t61 =  *_t61 + _t61;
				 *_t61 =  *_t61 + _t61;
				_pop(_t98);
				asm("repe salc");
				asm("adc eax, 0xe6580040");
				_t62 = _t61 + 1;
				 *_t88 =  *_t88 + _t62;
				 *0x01004065 =  *((intOrPtr*)(_t98 + _t85 + 0x51)) + _t62 + 1;
				asm("fst qword [ecx]");
				goto __ecx;
			}

0x00401404
0x00401409
0x0040140e
0x00401410
0x00401412
0x00401414
0x00401416
0x0040141a
0x0040141c
0x0040141e
0x00401420
0x00401421
0x00401422
0x00401429
0x0040142a
0x0040142f
0x00401431
0x00401433
0x00401435
0x00401437
0x00401439
0x0040143c
0x0040143d
0x00401443
0x00401446
0x00401449
0x0040144b
0x0040144d
0x0040144f
0x00401453
0x00401455
0x00401459
0x0040145b
0x0040145d
0x0040145f
0x00401461
0x00401463
0x00401465
0x0040146a
0x0040146b
0x0040146d
0x0040146f
0x00401472
0x00401477
0x00401479
0x0040147b
0x0040147d
0x0040147f
0x00401487
0x0040148b
0x0040148d
0x00401491
0x00401493
0x00401495
0x00401497
0x00401499
0x0040149b
0x004014a1
0x004014a2
0x004014a3
0x004014a5
0x004014a7
0x004014a9
0x004014aa
0x004014aa
0x004014aa
0x004014ac
0x004014ae
0x004014b0
0x004014b2
0x004014b4
0x004014b6
0x004014bd
0x004014bf
0x004014c3
0x004014c5
0x004014c9
0x004014ca
0x004014ca
0x004014cc
0x004014ce
0x004014d0
0x004014d2
0x004014d5
0x004014d9
0x004014db
0x004014dd
0x004014df
0x004014e1
0x004014e7
0x004014e9
0x004014eb
0x004014ed
0x004014ef
0x004014f1
0x004014f3
0x004014f5
0x004014fe
0x00401500
0x00401502
0x00401504
0x00401506
0x00401508
0x0040150a
0x0040150a
0x0040150e
0x0040150f
0x00401512
0x00401513
0x00401515
0x00401519
0x0040151b
0x0040151d
0x0040151f
0x00401521
0x00401523
0x00401525
0x00401527
0x0040152e
0x0040152f
0x00401533
0x00401535
0x00401539
0x0040153b
0x0040153d
0x0040153f
0x00401541
0x00401543
0x0040154a
0x0040154b
0x0040154d
0x0040154f
0x00401552
0x00401554
0x00401556
0x00401558
0x0040155a
0x0040155c
0x0040155e
0x00401560
0x00401566
0x00401567
0x0040156b
0x0040156d
0x00401571
0x00401573
0x00401575
0x00401577
0x00401579
0x0040157b
0x0040157d
0x00401582
0x00401583
0x00401585
0x00401587
0x0040158f
0x00401591
0x00401593
0x00401595
0x00401597
0x0040159e
0x004015a6
0x004015a8
0x004015aa
0x004015ac
0x004015ae
0x004015b0
0x004015b2
0x004015b4
0x004015bb
0x004015bd
0x004015bf
0x004015c1
0x004015c6
0x004015c8
0x004015ca
0x004015cc
0x004015cd
0x004015d1
0x004015d6
0x004015d7
0x004015db
0x004015e1
0x004015ee

APIs

#100.MSVBVM60(0040237C), ref: 00401409

Memory Dump Source

Source File: 00000000.00000002.329695649.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.329691693.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.329733642.0000000000441000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.329742012.0000000000448000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.329746626.000000000044E000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.329754905.000000000045B000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.329761461.000000000046C000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.329787356.000000000049F000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.329791929.00000000004A1000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.329797258.00000000004A6000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.329803334.00000000004AD000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.329809079.00000000004B3000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.329818513.00000000004C0000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.329825638.00000000004D0000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.329848530.0000000000504000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.329930683.00000000005B5000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.329936897.00000000005C1000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.329975497.000000000060D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.329987725.000000000061A000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.329993804.000000000061E000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.330001790.0000000000625000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Evolution des moyens de trasport.jbxd

Similarity

API ID: #100
String ID:
API String ID: 1341478452-0
Opcode ID: ea6cd314c7d8d2e47cae5d9ddf2f83a718f2ac98e7ec525f2e71521a294aeab7
Instruction ID: 32fae98aea9081f513a46293bcb1ea948556e200f69d378d41d7a936b0ffc720
Opcode Fuzzy Hash: ea6cd314c7d8d2e47cae5d9ddf2f83a718f2ac98e7ec525f2e71521a294aeab7
Instruction Fuzzy Hash: F6013DA684E3C18FC3038B305C395113F708D2320531E41EBC9D2DA1A3E52D685AD337

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Description:	Adversaries may execute their own malicious payloads by hijacking the library manifest used to load DLLs. Adversaries may take advantage of vague references in the library manifest of a program by replacing a legitimate library with a malicious one, causing the operating system to load their malicious library when it is called for by the victim program.
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	Loaded DLLs, Process monitoring, Process use of network
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report Evolution des moyens de trasport.exe

Overview

General Information

Detection

Signatures

Classification

Startup

Malware Configuration

Yara Overview

Sigma Overview

Signature Overview

AV Detection:

Compliance:

Networking:

System Summary:

Data Obfuscation:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

Contacted IPs

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Version Infos

Possible Origin

Network Behavior

Code Manipulations

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

back

System Behavior

Analysis Process: Evolution des moyens de trasport.exe PID: 1256 Parent PID: 5804

General

Chronological Activities

Disassembly

Code Analysis

Analysis Process: Evolution des moyens de trasport.exe PID: 1256 Parent PID: 5804 Evolution des moyens de trasport.exeCOMMON

Execution Graph

Graph

Executed Functions

Function 00401404, Relevance: 1.6, APIs: 1, Instructions: 51
COMMON